Re: Custom Shell and Account Switching

From: YaronM (nospam)
Date: 12/23/04 

Date: Thu, 23 Dec 2004 14:05:01 +0200

Hi KM,

I use local policies for limiting the user environment. for example, disable
running the TaskManager. the local group policies do not differs between
user accounts like in a normal GPO in a domain- it is mandatory to everyone.
when I login as an Administrator I just block access to the GPO folder in
windows using NTFS permissions. than, when the admin login it gets a full
unlocked shell.
if I will launch the explorer without logging-off I will still have the
policies effect.

about the autologon- I need to test it. I might be wrong.

the Techinician can enter the Settings Menu through a small "Settings"
button which is secured by a password so that the user could not change the
menu settings.

thanks,

YaronM

"KM" <konstmor@nospam_yahoo.com> wrote in message
news:OAinnpN6EHA.2876@TK2MSFTNGP12.phx.gbl...
> Yaron,
>
>> thanks for your suggestions. it seems that the FUS feature is not
>> relevant in my case because it is not supported in a Domain environment.
>> the reason why I can't run the Explorere shell using RunAs from the User
>> logon is that I use local policies to disable the user environment.
>> therefore, the policies will effect the Explorer that I will execute.
>
> I am not clear what you meant here. How policies of your user account can
> affect Explorer that is launched under Admin account?
>
>> I must do a full log-off and later logon again.
>> the autologon feature will not help in this case because it is read by
>> the system only on boot time and not after the system already booted,
>> done auto-logon to the user and then logged-off.
>
> This is not true. The autologon settings are read on every "logon" even
> which also happens when you do a log off.
> Please test it on target device to see how it works. (just make sure you
> don't forget to set ForceAutoLogon value).
>
>> after re-thinking the situation, the limitation I have in the development
>> is actually not a problem. I will create another security-layer to the
>> user and Admin, where:
>> 1. user works in a limited custom shell and can only operate application
>> and turn-off the machine.
>> 2. a technical support technician can enter a "settings" menu where it
>> can
>
> And how technician can enter (see) the Setting menu?
>
>
> KM
>
>> change a few settings of the user's custom-shell and can log-off the user
>> to recieve the Ctrl-Alt-Delete logon screen. the Settings menu will only
>> have a "save changes" button to commit the changes using the EWF.
>> 3. a network Administrator with the Administrator account password can
>> enter the local Admin account using its credentials and recieve a
>> full-featured Explorer Shell and the ability to enable/disable the EWF.
>>
>> thanks for your help.
>> I hope my toughts will help someone else too.
>>
>> Cheers,
>>
>> YaronM
>>
>>
>> "KM" <konstmor@nospam_yahoo.com> wrote in message
>> news:OwMx9gM6EHA.4040@TK2MSFTNGP14.phx.gbl...
>>> Yaron,
>>>
>>> Do you want to log in to the Administartor account automatically?
>>> If so, you can play with Autologon settings to switch the user/password
>>> to Administrator account.
>>> Also make sure that [HKLM\SOFTWARE\Microsoft\Windows
>>> NT\CurrentVersion\Winlogon],"ForceAutoLogon"="1"
>>>
>>> As soon as you logged on to Administator account, you can switch
>>> AutoAdmin setttings back to the User account.
>>>
>>> KM
>>>
>>>> Hi,
>>>>
>>>> I'm working on a custom shell for my XPe system (written in VB6).
>>>> the system should automatically login to a limited-user account and run
>>>> the shell.
>>>> I need to add a button to the shell that when clicked will
>>>> automatically log-off the current limited-user and login again as the
>>>> administrator.
>>>> I'm not sure how can it be done because the log-off process kills all
>>>> running processes so that the batch/script can't continue to load the
>>>> admin..
>>>> I thought maybe I should somehow use the Fast-User-Switching feature
>>>> for that purpose but I don't know how to do that.
>>>>
>>>> my main purpose of doing that is to create a secure working environment
>>>> through a limited-user using a custom-shell, but still allowing an
>>>> Administrator
>>>> to easily switch back to the Explorer shell without having to log-off
>>>> and re-login.
>>>>
>>>> If you have any ideas or tips I would really appreiciate your help.
>>>>
>>>> thanks,
>>>>
>>>> YaronM
>>>
>>>
>>
>>
>
>